
Tuesday, April 7, 2015

A recent incident at my work came to my attention involving a takedown request for an unauthorized app in Google Play using my company's brand. This happens often in appstores all over the world, which is why having brand protection monitoring for these is really critical. It is all too easy for these to slip into even legitimate appstores like Google Play.

One thing I noticed when I was investigating this incident was that the Google Play application page has a section that allows a developer to specify a website link, with a name "Visit Website".

Google Play app metadata, including Visit Website

I happened to notice that the website link for the application in question also included our brand/company name in the URL. I wanted to visit it to see what else I could learn from what they had on that site. When I clicked on the link, however, it went through a redirect at Google (e.g. https://www.google.com/url?q=http://example.example.com) where Google Safe Browsing actually flagged the URL as a phishing site.

Google phishing warning

This made me wonder: if Google's left hand (Safe Browsing) knows a site is suspected of phishing, shouldn't that inform Google's right hand (Google Play) that any application tied to that URL is also potentially untrustworthy? Essentially, if trust can propagate transitively, then the opposite (suspicion / risk) should also propagate transitively. Taking this further, that suspicion should propagate through a graph: from the app containing the suspicious link up to the developer of the app, and then back down to every other app that developer has associated with them in Google Play. This could be automated with relative ease, given the machine learning that the Google Android Security 2014 Report describes as already being applied to analyze applications:

"Google’s systems use machine learning to see patterns and make connections that humans would not. Google Play analyzes millions of data points, asset nodes, and relationship graphs to build a high-precision security-detection system."

I would then imagine Google Play could take one or more of several actions when a developer-provided URL receives a sufficiently bad Safe Browsing score:

Apps or developers and their apps could be delisted from Google Play until a human has reviewed the URL and app in more detail. Google announced just last month they are going to be augmenting human review of apps in Google Play so this would dovetail with those efforts.

Google Play could and should include clear, usable UI warnings for users searching and browsing apps about the suspicion/risk so that they can make informed trust decisions.

Google Play's Verify Apps feature could further come into play if apps are confirmed as malware/badware/Potentially Harmful Apps (PHAs), warning users who may have already installed such an application or blocking the app outright. This would also seem to dovetail with other efforts recently announced in the Google Android Security 2014 Report to help crack down on these kinds of applications in the Android ecosystem.
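To make the transitive-suspicion idea and the tiered actions above concrete, here is an added illustration (my own sketch, not Google's code or anything the report describes): a tiny app/developer/URL graph with constructed sample data, a stand-in for a Safe Browsing lookup, breadth-first propagation of a decaying risk score from a flagged URL through the app to its developer and sibling apps, and a triage step that maps each app's score to one of the proposed actions. App names, developer IDs, URLs, decay factor and thresholds are all assumptions chosen for the example.

```python
from collections import defaultdict, deque
# Constructed sample data (not from the post): each app's developer and "Visit Website" link.
APPS = {
    "com.example.brandclone": {"developer": "dev-A", "website": "http://brand.phish.example"},
    "com.example.flashlight": {"developer": "dev-A", "website": "http://flashlight.example"},
    "com.example.notes": {"developer": "dev-B", "website": "http://notes.example"},
}
# Constructed stand-in for a Safe Browsing lookup: only flagged URLs appear, with a threat type.
SAFE_BROWSING_HITS = {"http://brand.phish.example": "SOCIAL_ENGINEERING"}

def build_graph(apps):
    """Undirected graph with three node kinds: app <-> developer and app <-> website URL."""
    graph = defaultdict(set)
    for app, meta in apps.items():
        for node in (meta["developer"], meta["website"]):
            graph[app].add(node)
            graph[node].add(app)
    return graph

def propagate_suspicion(apps, hits, decay=0.5, max_hops=3):
    """Seed risk 1.0 at each flagged URL and spread it by breadth-first search, multiplying by
    `decay` per hop; a node keeps the highest score that reaches it. Defaults taint the linking
    app (0.5), its developer (0.25) and the developer's other apps (0.125), then stop."""
    graph = build_graph(apps)
    risk = {url: 1.0 for url in hits if url in graph}  # ignore URLs no app links to
    queue = deque((url, 0) for url in risk)
    while queue:
        node, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for neighbour in graph[node]:
            score = risk[node] * decay
            if score > risk.get(neighbour, 0.0):
                risk[neighbour] = score
                queue.append((neighbour, hops + 1))
    return risk

def triage(apps, hits):
    """Map each app to one of the actions the post proposes, based on its propagated risk."""
    risk = propagate_suspicion(apps, hits)
    actions = {}
    for app in apps:
        score = risk.get(app, 0.0)
        if score >= 0.5:
            actions[app] = "delist_pending_human_review"  # app links directly to a flagged URL
        elif score >= 0.1:
            actions[app] = "show_risk_warning"  # same developer as a flagged app
        else:
            actions[app] = "no_action"
    return actions
```

With the sample data, the brand-clone app is delisted pending review, the same developer's flashlight app gets a warning, and the unrelated notes app is untouched; the flashlight app's own website is never reached because the hop limit cuts the walk off before it.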